AppLocker Path Exception issue

I'm using AppLocker to secure my workstations, primarily as an anti-malware step, and it works very well.

I now have a new piece of software that, upon login, copies a batch file to the user's %TEMP% directory and runs it.

Of course, that's one of the directories that I have prevented batch files from running in, so now I'm trying to allow just this batch file to run, as I know it is known good. I cannot change the location where this batch file runs; the software maker does not allow for that type of modification.

Oh, and to just make it slightly harder, when the software copies the batch file to the TEMP dir, it uses a new file name every time (however, there is a consistent file naming convention, so I'm hoping to use that to key in on this).

Here is what I've done. I created an AppLocker script deny rule that denies scripts from running from this directory:

%OSDRIVE%\Users\*\AppData\Local\Temp\*

That works beautifully. No batch files (or any other scripts) can run.

Next step, allow all batch files by putting in this exception:

%OSDRIVE%\Users\*\AppData\Local\Temp\*.bat

That also works perfectly. All batch files can run, but no other scripts.

Last step is to pin it down to only the known good batch files that get copied upon login. The batch files are always named like this: "ABC12ws.bat" or "ABCh42s.bat". The common thread is that they always start with "ABC", followed by 4 randomly generated characters, then the .bat.

So I thought I could easily modify my exception like this:

%OSDRIVE%\Users\*\AppData\Local\Temp\ABC*.bat

Unfortunately, for some reason, that allows all batch files to still be run. My guess is it sees the wildcard, and just ignores the fact that I have 3 characters preceding it.

Is there a way I can put in an exception to my path rule that will let me run batch files that use the name ABCxxxx.bat but block all other batch files?
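
One way to see which files a given exception actually covers without waiting for a logon cycle, as an added example that is not part of the original post: build the deny rule and its exception as a test policy and evaluate it offline with Test-AppLockerPolicy. The file names, the policy file name and the allow-all rule are constructed for the test, and the script assumes the default profile layout (%LOCALAPPDATA%\Temp under C:\Users).

```powershell
# Exception pattern under test (the one from the post). Edit and re-run to compare.
$exception = '%OSDRIVE%\Users\*\AppData\Local\Temp\ABC*.bat'

# Constructed test policy. The allow-all rule exists only so that anything the
# deny rule does not catch is reported as Allowed instead of DeniedByDefault.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all scripts (test only)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny scripts in Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
      <Exceptions><FilePathCondition Path="$exception" /></Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-exception-test.xml'   # constructed name
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Constructed sample files: two that follow the ABCxxxx.bat convention and
# three that should stay blocked if the exception is as narrow as intended.
$names = 'ABCt3st.bat', 'ABC0000.bat', 'XYZt3st.bat', 'ABCt3st.cmd', 'xABCt3s.bat'
$dir   = Join-Path $env:LOCALAPPDATA 'Temp'
$files = foreach ($name in $names) {
    $path = Join-Path $dir $name
    Set-Content -Path $path -Value '@echo off'
    $path
}

try {
    # Evaluates the XML policy against each file for the Everyone group;
    # nothing is applied to the machine.
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $files -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}
finally {
    # Remove the sample files and the test policy again.
    Remove-Item -Path (@($files) + $policyFile) -ErrorAction SilentlyContinue
}
```

The PolicyDecision column shows, per file, whether the deny rule or the test allow rule matched, so an exception that is wider than intended shows up as Allowed on the non-ABC names.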
